Approach to Securing the


ity and Comprehensive Security for Cloud workloads and 


ict Management, Qualys, Inc. 


Agenda 


“Shift Left” Migration & Requirements 


Your responsibility in cloud security 
Customer Case Studies 


Qualys Security for hardening and 
standardizing workloads 


Qualys security for Infrastructure 
Use Cases & Demo 


Q&A 


© Qualys. 


The Big Migration... in security, it is happening.. 
Continuous Secure Development and Deployment 


[Diagram: Developers, Operations, Security; Monitor; Secure CI/CD]

SECURITY AT DEVELOPMENT 


* Static Code Analysis
* Vulnerability Management
* Web Application Scanning
* Compliance Checks
* Configuration Assessments


SECURITY AFTER DEPLOYMENT 


» Vulnerability Management 

» Compliance Checks 

» Configuration Assessments 
» Web Application Scanning 
» Web Application Firewalls 
DevOps/DevSecOps Requirements...


[Diagram: developers and pipeline tools, including Jenkins, Bamboo, JFrog Artifactory, Puppet and Ansible]


DevSecOps Engineer
Responsible for automating security checks and remediating viable security
threats in development/deployment practices


AUTOMATION & ACTIONABLE DATA ....


The New IT - 
Hybrid, Multi-Cloud Deployment 


Azure, Google Cloud Platform


ON-PREMISE* PUBLIC CLOUD 


Shared Security Responsibility Model 


You are responsible for securing
your data and workloads


Customer, Cloud Provider


Varies by layers


Image from Microsoft Azure Shared Security Responsibility


Securing Cloud Workloads 


Hardening and Standardizing 


VULNERABILITY MANAGEMENT

* Vulnerability Management (Internal & Perimeter)
* Threat Protection
* Indicators of Compromise
* Patch Management*


POLICY COMPLIANCE

* Policy Compliance (incl. Secure Configuration Assessments)
* File Integrity Monitoring


APPLICATION SECURITY

* Web Application Scanning (WebApps and REST APIs)
* Web Application Firewall


Securing
Public Clouds
Using Qualys


Customer Case Studies


* Capital One: Reduced application releases from 2 weeks to 24 hrs by automating security with Qualys in
* A software maker: "Just in time" security approvals with end to end integration of Qualys Scan and Reports with ServiceNow
* A beverage MNC: Enabling DevOps with automated agent deployment via Azure Security Center


Capital One 
Before: Lack of Security Automation 


Delays Release 


Two weeks until the Image (AMI) is certified for production
Capital One
Introducing Security at the Source
Bake Qualys Security into Gold Images and AMI


[Diagram: gold Amazon Machine Image (AMI); Qualys assess; hardened; approve and publish; CI/CD pipeline; custom; live instances]


Bakery process happens within 24 Hrs


“Security as Service” 


Integration between Service Now and Qualys 


Challenge 


* Moved almost all datacenters to AWS 


* Keeping up with security "Just in Time" projects with multiple teams
submitting requests for spinning up infrastructure


Requirement 
* Automate Vulnerability Mgmt. from Connectors, Scans, and to Results 
* Integrate into Service Now for end to end invocation 


Solution 


[Workflow diagram: ServiceNow; create ticket; invoke scan process; results link to S3 bucket; close ticket incl. vuln. reports; pre-authorized scanner appliances; AWS VPC]


Company Profile 
Makes software for architecture, 
Engg., construction and Media 


INDUSTRY: Software, Media, 
Manufacturing 


REGION: USA 


CLOUD: 
Primary Cloud - AWS 
Secondary Cloud- Azure 


DEPLOYMENT REGION: 
US East, West 


SERVICES USED: 
ECS IRESNEMRNERS 
Containers 


QUALYS USAGE: 
VM, AV, Scanners 
A Beverage MNC Company


Qualys Automation within Azure Security Center


Fast growing deployment in Azure
(added 10K instances in 6 months)


Problem


Ops wants to simplify the process of
security tools rollout


Security wants to participate in
DevOps


Solution 


Utilizing Qualys integration with 
Azure Security Center 


Utilize ASC automation to bake 
agents into test subscription and 
review reports with ASC 


[Screenshot: "Remediate vulnerabilities (by Qualys)" view (PREVIEW)]

VULNERABILITY NAME | VENDOR | AFFECT... | STATE | SEVERITY
Enabled DCOM | Qualys | harivm2 | Open | High
Allowed Null Session | Qualys | harivm2 | Open | Medium
Enabled Cached Logon Cre... | Qualys | harivm2 | Open | Medium
Machine Information Discl... | Qualys | harivm2 | Open | Medium
Microsoft Windows Explore... | Qualys | harivm2 | Open | Medium
Windows Explorer Autopla... | Qualys | harivm2 | Open | Medium
Access to File Share is Enab... | Qualys | harivm2 | Open | Low
ActiveX Controls Enumerated | Qualys | harivm2 | Open | Low
Antivirus Product Not Dete... | Qualys | harivm2 | Open | Low
Disabled Clear Page File | Qualys | harivm2 | Open | Low
Enabled Caching of Dial-up... | Qualys | harivm2 | Open | Low
Enabled Display Last Usern... | Qualys | harivm2 | Open | Low
File Access Permissions for... | Qualys | harivm2 | Open | Low
File Access Permissions for... | Qualys | harivm2 | Open | Low
Host Scan Time | Qualys | harivm2 | Open | Low
Hyper-V Host Information... | Qualys | harivm2 | Open | Low
Installed Applications Enu... | Qualys | harivm2 | Open | Low
Internet Protocol version 6... | Qualys | harivm2 | Open | Low


Cloud Workload Security with Qualys 


[Diagram: IaaS and PaaS* coverage across AWS, Azure, Google Cloud Platform, Alibaba Cloud (aliyun.com) and Oracle]


* PaaS - Cloud Database Scanning - Roadmap 1H ‘19 
Integrating within the process and response
pipeline with Partners


* illumio
* Configuration and Change Management: puppet
* Keeping track of assets (CMDB): servicenow
* ue data into SIEM for: splunk


Cloud Integrations


* Azure Security Center (VM)
  - Production
* AWS Security Hub (beta)
  - Public Preview - Nov 28, 2018!!!
* Google Security Command Center
  - Beta in December 20


Other Integrations

* IBM Security Center
  - Dec2018/Jan 2019
* Alibaba Security Center
  - Q1/Q2 2019


[Screenshots: Azure Security Center recommendations; AWS Security Hub insights; Google Cloud Platform Security Command Center dashboard with a findings summary that lists Qualys as a finding source]


Securing Azure Stack using Qualys 
Qualys is the only distributor of Infra’s VM,PC reports 


* Qualys Security Solution suite - VM, PC, AppSec...
* Network Scan using Qualys Vulnerability Management
* Vulnerability and Compliance Reports available from MSFT


[Diagram: Azure; Azure Stack infrastructure]


Register @ https://www.qualys.com/azure-stack/


December 11, 2018


Cloud Infrastructure 


Australian Insurance Company 


Visibility of deployments stop misuse
of keys


AWS sent a notice of compromised keys
attempting to create multiple accounts in EU


Use Case
Identify the resources in EU region, find the Amazon S3
buckets which are open to public and have the keys stored


Requirement

* Identify where the deployments are located
* Identify Amazon S3 buckets that are public and fix it
* Ensure best practices are followed by IAM users of the account


Company Profile
Largest provider of Auto
and Agriculture insurance


INDUSTRY: Insurance


REGION: Australia


CLOUD:
Primary Cloud - AWS
Secondary Cloud - Azure


DEPLOYMENT REGION:
Australia


SERVICES USED:
EC2, S3, RDS, EMR, Cloud Front


We need to secure against... 


* Misconfigurations
* Malicious behavior
* Non-standard deployments
* Accounts & Network
* Administrative access


Qualys 
Cloud Inventory and 
Security Assessment 


Unparalleled Visibility and
Continuous Security Monitoring
across public cloud infrastructure


[Diagram: Cloud Inventory and Cloud Security Assessment for AWS and Google Cloud Platform]

Use Case #1 
Visibility into 
your public clouds 


View into 
* Resource Distribution by Type 
* Resources by Region 


Personalize and add custom widgets 


[Screenshot: CloudView AWS Dashboard, Last 30 Days. Widgets: Resource Distribution by Type (Total Resources 402), Security Posture by Regions, Top 5 Accounts by Failed Controls, Failures by Control Criticality (Total Failures 348: High 226, Medium 122), Top 5 Failed Controls]

Failed controls shown:

* Ensure IAM policies are attached only to groups or rol
* Ensure access key1 is rotated every 90 days or less
* Ensure no security groups allow ingress from 0.0.0.0/
* Ensure the default security group of every VPC restrict

Use Case #2 
S3 buckets


resource.type:"S3 Bucket" and s3.isPubliclyAccessible: true


Misconfigured S3 Buckets are
vulnerable for data leaks


Permissions Regularly
* Review Access Control List
* Check Bucket Policy


[Screenshot: control evaluations. Policy: AWS Best Practices Policy, Total Resources: 78]

45 | S3 Bucket Access Control List Grant Access to Everyone or Authenticate... | HIGH | S3 | 62 | 16
46 | Ensure S3 Bucket Policy does not allows anonymous access | HIGH | S3 | 64 | 14
47 | Ensure access logging is enabled for S3 buckets | | S3 | 19 | 59
48 | Ensure versioning is enabled for S3 buckets | | S3 | 24 | 54


Use Case #3 


Detect Compromised
IAM Users


service.type:"IAM"


Check for:

* Configure Strong Password Policy for Account
* Enforce MFA for Console Users
* Rotate IAM Access Keys Every 90 Days
* Remove Unnecessary Credentials
* Audit Process
* Create separate user for console & API access (Segregation of duty)
* Track password age
* Deactivate unused keys


[Screenshot: CloudView, Amazon Web Services, IAM control evaluations (1-21 of 21). Failures by criticality: High 256, Medium 154]
Australian Insurance Company


Visibility of deployments stop misuse
of keys


AWS sent a notice of compromised keys
attempting to create multiple accounts in EU


Requirement

* Identify where the deployments are located
* Identify S3 buckets that are public and fix it
* Ensure best practices are followed by IAM users of the account


Solution

With Qualys Cloud Inventory and Assessment

* Gain visibility into the global deployments
* Identify S3 buckets that are public and required fixing
* Identify the IAM users and their security posture


Company Profile
Largest provider of Auto
and Agriculture insurance

INDUSTRY: Insurance

REGION: Australia

CLOUD:
Primary Cloud - AWS
Secondary Cloud - Azure

DEPLOYMENT REGION:
Australia

SERVICES USED:
EC2, S3, RDS, EMR, Cloud Front


Visibility - Get started with a 


FREE service 


CloudView 
A FREE inventory and monitoring 
service for your public clouds 


Use Case#4 
Misconfigured 


Security 
Groups 


Security groups with default 
rule, allowing access on port 
225569 


With Qualys Vulnerability 
Mgmt. - Identify Security 
Groups exposing Vulnerable 
instances 


service.type:"VPC"


EVALUATIONS: 630 Total Evaluations
SECURITY POSTURE: 383 Pass, 247 Fail
FAILURES BY CRITICALITY: 110 High, 137 Medium, 0 Low

41 | Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 | HIGH | VPC | 162 | 83


List View


resource.type:"Instance" and securitygroup.inboundRule.fromPort:22 and securitygroup.inbo
ule.ipv4Range:0.0.0.0/0 and (not instance.publicIpAddress is null)


Resource Summary

i-053a4ff0c8841c8de | lambda. test | 457721770691 | N. Virginia | t2.micro | Running
i-0c84632aeb811f045 | WinApp_1 | 457721770691 | Ohio | t2.micro | Running
i-0fd488181b8329f15 | IT App. internal. 1 | 457721770691 | Ohio | t2.micro | Running


Use Case#5 
Correlate with 


Vulnerability 
Data 


Identify vulnerable 
instances associated with 
the security groups 


Reduce effort to pull info 
to SIEM for correlation 


[Screenshot: Resource Details: sg-08e84245777aa2a62, Associations, Instances]

i-0b0c3f79a6df4ac05 | AJMdkrh03 | N. Virginia | Nov 28, 2018 | running
i-056756d302b6dbddb | AJMdkrh02 | N. Virginia | Nov 28, 2018 | running
i-04b5914b57a4f0055 | Win2016. Test SMN | N. Virginia | Nov 28, 2018 | running
i-09f0a433571db4e0d | ssm-Windows2008R2 | N. Virginia | Nov 28, 2018 | running
i-074f89785daa759ad | Ubuntu-Test-SMN | N. Virginia | Nov 28, 2018 | running
i-0b49e28d2d963c228 | Sri grp1 | N. Virginia | Nov 28, 2018 | running
i-0f40566c694a67ffb | AJMdkrh01 | N. Virginia | Nov 28, 2018 | running
New and
Upcoming
Features


Remediations


Threat Analysis 


Reports 


Threat Analysis 


Correlating Vulnerability data to provide risk insights 


Use Cases 

Security Groups allowing 
access on the same ports 
where network vulnerabilities 
have been identified 


Vulnerable EC2 Instances 
with Instance profiles 
accessing S3 buckets 


Coming Dec. 2018 


[Screenshot: Resource Details: sg-5c324e25, Threat Details. Panels: Impacted Resources, Open Port Vulnerabilities, Ports with Threats. Show Issues by: Ports]

RULES

PORT | TYPE | PROTOCOL | PORT RANGE | SOURCE | PORT WITH THREATS | IMPACTED INSTANCES | VULNERABILITIES
80 | Custom | TCP | 0-100 | 0.0.0.0/0 | 9 | 2 | 2
8080 | Custom | TCP | 8080 | 0.0.0.0/0 | 9 | 2 | 2
Remediation
Automate in real time actions to protect against risks


[Diagram: User; PutObject / PutObjectAcl; deliver event when the rule matches; AWS Lambda reads the state of the bucket, updates to make bucket and its object private. Make the object private, where necessary]


Integration into Qualys Cloud View
Coming ... 2018

* Collect evaluation results
* Execute update permissions
Cloud Infrastructure Reports


Generate reports for CIS
Benchmarks, mandates
like PCI, HIPAA,
ISO27001


Configure for specific
accounts, and regions


Run NOW


Schedule reports for
daily, weekly or monthly


Coming Jan. 2019


[Screenshot: CloudView Reports, "PCI Report for MyAWS Storefront". Template: Payment Card Industry Data Security Standard (PCI - DSS) v3.2. Report Summary: 96.6%, Controls: 44, Total Evaluations: 294, Policies: 1. Requirement Posture for Payment Card Industry Data Security Standard (PCI - DSS) v3.2]


Azure CIS 1.0.0 Benchmark Controls
- 40 checks


Azure Assets Evaluated
- Azure Virtual Machines
- Azure Virtual Networks
- Azure Blob Storage
- Azure Network Security Groups
- Azure SQL Databases
- Azure Security Center
- Storage Accounts
- Logging & Monitoring Services


[Screenshot: CloudView, Microsoft Azure. Controls from Policy: CIS Microsoft Azure Foundations Benchmark]

50001 | Ensure that 'Data encryption' is set to ON for a SQL database | SQL Servers
50002 | Ensure no SQL Servers allow ingress from Internet (ANY IP) | SQL Servers
50003 | Ensure that 'Adaptive Application Controls' is set to On | Security Center
50004 | Ensure that 'Automatic provisioning of monitoring agent' is set to On | Security Center
50005 | Ensure that System updates is set to On | Security Center
50006 | Ensure that 'Security Configurations' is set to On | Security Center
50007 | Ensure that 'Endpoint protection' is set to On | Security Center


Coming Dec. 2018
Qualys Cloud Security -
Comprehensive Coverage


[Diagram: IaaS and PaaS* coverage across cloud providers, including AWS, Azure and Oracle]